[ISN] Decades after creation, viruses defy cure

From: InfoSec News (isn@private)
Date: Tue Nov 25 2003 - 23:44:13 PST

    Forwarded from: William Knowles <wk@private>
    
    http://news.com.com/2009-7349_3-5111410.html
    
    By Robert Lemos
    Staff Writer, CNET News.com
    November 25, 2003
    
    Of all the accomplishments in the annals of technology, Fred Cohen's 
    contribution is undeniably unique: He introduced the term "virus" to 
    the lexicon of computers.
    
    The University of New Haven professor used the phrase in a 1984 
    research paper, in which he described threats self-propagating 
    programs pose and explored potential defenses against them. When he 
    asked for funding from the National Science Foundation three years 
    later to further explore countermeasures, the agency rebuffed him. 
    
    "They turned it down," said Cohen, who is also principal analyst for 
    research firm Burton Group. "They said it wasn't of current interest." 
    
    Two decades later, countless companies and individuals are still 
    paying for that mistake. The technology industry has yet to find a 
    blanket solution to the ever-growing list of viruses and worms that 
    constitute the greatest risk to computers on the Internet. Every year, 
    companies lose billions of dollars when forced to halt work and deal 
    with infectious digital diseases, such as Sobig and Slammer. 
    
    While much attention has been paid to the malicious online attackers 
    who exploit technology's vulnerabilities, little has been documented 
    about the origins of the virus. Its early iterations were not created 
    by malcontent teenagers or antisocial geeks but by campus researchers, 
    system administrators and a handful of old-school hackers who thought 
    that the ability to reproduce their programs automatically was a neat 
    trick. 
    
    The result is a tale of technical genius, academic naivete, 
    bureaucratic arrogance and humans' penchant for tearing down 
    institutions simply for the sake of doing so. 
    
    Sarah Gordon, senior research fellow at Symantec Security Response, 
    caught her first computer virus more than a decade ago. She became so 
    fascinated with the phenomenon that she spent several years studying 
    the underground world of virus writers. 
    
    "The design of the Internet facilitates the distribution of 
    information--all sorts of information; it's a double-edged sword," 
    Gordon said in a recent e-mail interview. "Even if (viruses) are not 
    designed to be intentionally malicious or dangerous, if they get 
    outside of a controlled environment, there can be unexpected results." 
    
    That was precisely what happened with the fathers of the computer 
    virus: The exponential doubling of viral code can greatly magnify 
    minor errors and become the difference between a harmless prank and a 
    devastating attack. Unlike the simple technologies behind isolated 
    attacks on the Internet, the ability to propagate adds a level of 
    complexity that often stymies the virus writers themselves. Although 
    many programs quickly fizzle out, others have far outgrown the 
    intentions of their authors. 
    
    Cohen had an inkling of much of the future when he first thought up 
    the idea in November 1983 as a University of Southern California 
    graduate student. During a weekly seminar on computer security, he 
    conceived of a program that could infect other systems with copies of 
    itself. 
    
    "All at once, a light bulb came on, and I said, 'Aha!'" Cohen 
    recalled. "Within a few seconds, I knew how to write the program and 
    that it would work." 
    
    His adviser at the time, Len Adleman--well known as a creator of 
    public-key encryption and the "A" in a popular form of the security 
    technology known as RSA (Rivest, Shamir & Adleman)--suggested that the 
    programs were the digital analogy of viruses. The name stuck. 
    
    The birth of a concept
    
    In a paper published the next year, Cohen defined a virus as "a program 
    that can 'infect' other programs by modifying them to include a 
    possibly evolved copy of itself." He proved that such a virus could 
    spread through any system that allows information to be shared, 
    interpreted in a general manner and given away, despite the presence 
    of security technologies. 
    
    To demonstrate its potential dangers, Cohen created a test program to 
    see how quickly the virus could spread and undermine the security of a 
    mainframe computer system. He implanted the program in a command that 
    presents Unix file structures graphically, then conducted five attack 
    runs. 
    
    The virus managed to "gain system rights"--essentially seizing control 
    of the computer--within an average of half an hour. The shortest run 
    took five minutes. 
    
    "It could spread with all the security technologies out there at the 
    time," Cohen said. "The concept showed that the least trusted user is 
    the weakest link, and the program can quickly spread up to the most 
    trusted user." 
    
    Cohen's work provided a concrete definition of a virus and showed how 
    other programs, such as worms, are a subset of that definition. But a 
    few viruslike programs existed before his research, and many of its 
    theoretical underpinnings were established by John von Neumann, one of 
    the founding fathers of computer science. 
    
    Born in Hungary in 1903, von Neumann was responsible for seminal work 
    in many branches of computer science, mathematics and physics, 
    including logical analysis of a strategy called game theory and the 
    newly born branch of quantum physics. Between 1948 and 1956, he 
    extended much of the work of one of his peers, famed computer 
    scientist Alan Turing. 
    
    Turing had come up with an idea for a universal computing system, a 
    logical construct that could solve a wide variety of problems by using 
    a processor and a tape to store programs and data. Computers still use 
    the basic division of labor Turing identified: processors and storage. 
    
    Von Neumann expanded Turing's concept to the creation of a universal 
    constructor, a system that could replicate itself. This 
    self-reproducing automaton, as he called it, used tens of thousands of 
    elements--each of which could be in any of 29 states--to create 
    another automaton on an imaginary grid. The system was so complex that 
    it took more than 40 years for even a limited version of it to be 
    implemented in hardware. 
    
    Survival of the fittest program
    
    Von Neumann's work later served as the foundation for a new branch of 
    computer science known as cellular automata theory, and it inspired 
    other researchers to create simpler computer "creatures" and the field 
    of artificial life. His pioneering research also spurred three Bell 
    Labs researchers to put his ideas into action in the early 1960s. 
    
    In August 1961, researcher Victor Vyssotsky invented a game, dubbed 
    "Darwin," in which small programs competed with one another to 
    dominate a digital landscape. His colleague Douglas McIlroy programmed 
    much of the game, including the code that would run the simulation. 
    The third researcher, Robert Morris Sr., created a lethal digital 
    creature that evolved and passed along its successful attack to its 
    progeny. 
    
    "It was clear that by tinkering the rules to introduce a bit of 
    uncertainty into the game, we could have revived it after Morris' 
    devastating entry, but we had other things to do," said McIlroy, now 
    an adjunct professor in the computer science department at Dartmouth 
    College. The game ran on an IBM 7090 system and was largely forgotten. 
    
    However, the researchers and their progeny were to have a profound 
    impact on computers and the Internet. 
    
    Morris went to work for the National Security Agency. In November 
    1988, his son, Robert Jr., created the first worm to spread widely 
    across the Internet. While "Darwin" didn't survive the evolution of 
    its IBM 7090 computer system, the researchers' recreational activities 
    led to the invention of a more popular game called "Core War," where 
    players write battle programs in a language called Redcode and duke it 
    out in a virtual-memory arena dubbed the Memory Array Redcode 
    Simulator, or MARS. Many aficionados still play the game on the 
    Internet. 
    
    But those digital creatures were all contained in artificial 
    environments. It took a different game to help introduce viruses to 
    computers and spread infections worldwide. 
    
    That game was "Animal," a program akin to "20 Questions," which became 
    highly popular among mainframe computer operators in the 1970s. The 
    game would ask a person to think of an animal and then ask questions 
    for clues as to the type of creature it was. If the program guessed 
    wrong, it would ask the player to provide a question and an answer 
    that would differentiate the new animal. 
    
    John Walker, a UNIVAC (Universal Automatic Calculator) systems 
    programmer for a large multinational firm, created his own version of 
    the game in 1974, improving it so that erroneous information one 
    player enters could eventually be corrected by another. The game was 
    an immediate hit. 
    
    "I started getting calls from people at other UNIVAC installations 
    asking for tapes of the game," he said. 
    
    From games to viruses
    
    In the pre-Internet days, Walker found himself telling people to mail 
    him a tape, onto which he would copy the program and return it. He 
    quickly tired of the laborious process: "It was really annoying and 
    got me thinking on how best to distribute the game. That's when I 
    thought about making it self-reproducing." 
    
    In January 1975, Walker created another program, "Pervade," which 
    would hitch a ride with a new version of "Animal." Any time someone 
    played the "Animal" game, Pervade would also start running to check 
    directories, duplicate itself in any directory that didn't already 
    have a copy and overwrite any older versions. 
    
    Walker recalls reflecting on the implications of the program for a 
    couple of months to ensure that he hadn't made any damaging errors. 
    Then he released it. 
    
    Within a week, UNIVAC administrators at another corporate office 
    started reporting that "Animal" had suddenly appeared on their system. 
    Weeks later, other companies discovered the program on their systems 
    as well. 
    
    "A few months later, a lot of people started talking about it, and 
    that meant more people were asking for it," Walker said. "It 
    propagated as much by word of mouth as by copying itself to new 
    directories." 
    
    The Pervade program stopped working when UNIVAC released a new version 
    of the operating system that changed its directory structure. But 
    Walker insists that a modified copy of his program could have easily 
    overcome its new security features. 
    
    "UNIVAC was putting forth all these security methods, and here was an 
    example of a threat that all the defenses couldn't do anything about," 
    he said in comments Cohen would echo a decade later. Walker went on to 
    found Autodesk in the early 1980s, and he remains the largest 
    individual stockholder in the company. 
    
    In a testament to the unpredictable nature of viruses, even Walker 
    guessed wrong about how long his self-replicating creation would last. 
    He recently talked to an administrator of a Unisys 2200 system, a 
    descendant of the UNIVAC computers, who reported that the program 
    still runs on his machine. 
    
    "It's still looking for file system tables that are 30 years out of 
    date," Walker said. 
    
    The host in the machine
    
    Viruses proliferated exponentially with the popularity of desktop 
    computers. Not only did individual computers enlarge the pool of hosts 
    a virus could infect, but they also yielded a new techno-savvy 
    generation armed with the knowledge to create such programs. 
    
    Rich Skrenta fit the bill to a tee: A Pittsburgh-area ninth-grader in 
    1982, he knew a lot about the Apple II and loved to use software to 
    play practical jokes on his classmates. The then-teenager supplied his 
    friends with Apple II programs to which he had added some custom 
    "features," such as the machine's ability to shut down automatically 
    after being used just a few times or to display a taunting message. 
    
    "After I had done this a number of times, no one would take games from 
    me anymore," said Skrenta, now the president of his own, 
    soon-to-be-launched search start-up, Topix.net. "And so, I was 
    puzzling on how to get my tricks onto their disks." 
    
    That's when he got the idea to write a self-propagating program that 
    would infect Apple II disks. Skrenta's idea for "cloner" programs--he 
    didn't employ the term virus--would infect a popular command on the 
    system disks used by the Apple II. The program he created, called Elk 
    Cloner, counted how often a disk had been used and, on every fifth 
    run, made the computer shut down or perform some other "trick." Every 
    50th time the computer started up, Elk Cloner would display a little 
    poem. 
    
    Four years later, two Pakistani brothers, Amjad and Basit Farooq Alvi, 
    created the first computer virus to infect IBM PCs. The brothers used 
    the program, known as the Brain virus, as a piece of true viral 
    marketing: Each copy caused a message to flash on the screen, 
    advertising the brothers' company, Brain Computer Services of Lahore, 
    Pakistan. 
    
    "Beware of this VIRUS...Contact us for vaccination," stated the 
    message, which can be found on their Internet site today. 
    
    That was only the beginning. Although viruses and worms took more than 
    a decade to emerge in significant numbers, they soared in subsequent 
    years. By the end of 1990, about 200 viruses had been identified. 
    Today, that number has jumped to more than 70,000. Although less than 
    1 percent of those viruses have compromised computers on the Internet, 
    more than 80 percent of companies suffered a digital infection, 
    according to the Computer Security Institute. 
    
    Symantec's Gordon said most virus creators--not unlike their 
    predecessors--still don't understand the ability of the programs to 
    spread throughout the Internet. "They tend to be curious--often 
    articulate individuals with a variety of relationship and interaction 
    styles," she said. 
    
    Cohen, however, said the scientific heavy lifting for today's Internet 
    viruses was done in the 1980s. Everything else, he said, is just 
    mechanics. 
    
    "Everything that we know now was known then," he said. "Everything we 
    see now is just an engineering solution based on old science."  
    
    
    